Index: modules/form_mail.module
===================================================================
--- modules.orig/form_mail.module	2005-10-01 17:08:48.000000000 +0200
+++ modules/form_mail.module	2006-01-09 17:51:11.000000000 +0100
@@ -45,7 +45,11 @@
   unset($edit["op"]);
   foreach ($edit as $key => $value) {
     if ($key == "to" && variable_get("form_mail_custom_to", 0)) {
-      $to = $value;
+      $reg_exp = variable_get("form_mail_reg_exp", '');
+      if ($reg_exp == '' || ereg($reg_exp, $value))
+        $to = $value;
+      else
+        drupal_set_message(t("The recipient address is invalid."));
     }
     elseif ($key == "body") {
       $body = $value;
@@ -70,6 +74,7 @@
 
 function form_mail_settings() {
   $output = form_textfield(t("Email recipient"), "form_mail_email", variable_get("form_mail_email", ""), 80, 300, t("The email address which should receive all form submissions when not otherwise stated in the form."));
+  $output .= form_textfield(t("Regular expression of valid recipient addresses"), "form_mail_reg_exp", variable_get("form_mail_reg_exp", ""), 80, 300, t("A regular expression to be matched on the recipient address. Use something like <tt>yourdomain\\.com$</tt> to prevent spammers from abusing your form."));
   $output .= form_checkbox(t('Allow custom recipient'), 'form_mail_custom_to', 1, variable_get("form_mail_custom_to", 0), t("Whether to allow setting the recipient of the email from the form."));
   return $output;
 }